STEPHENSON HARWOOD


Data Protection update - October 2015

Coverage this month includes a round-up of regulator statements issued in the wake of the Safe Harbor judgment. In our cybersecurity section, we outline further high profile data breaches. We also report on a new agreement for international information sharing between data protection authorities, as well as keeping you up-to-date with the latest enforcement actions issued by the ICO.

Safe Harbor

As reported in our October alert, the Court of Justice of the European Union’s ("CJEU") judgment in the recent case of Maximilian Schrems v Data Protection Commissioner held that the European Commission’s decision on “Safe Harbor” (2000/520/EC) (the "Safe Harbor Regime") was invalid and that transfers of personal data outside the EEA relying solely on the Safe Harbor Regime after the CJEU’s judgment are now unlawful. A number of formal statements have now been released.

Article 29 Working Party issues statement
On 16 October, the Article 29 Working Party (comprising representatives from EU Member States’ data protection authorities, the European Data Protection Supervisor and European Commission) issued a statement on the CJEU's judgment.

The Working Party made the following key points:

(i) it is essential to have a robust, collective and common position on the implementation of the judgment;

(ii) Member States need to have open discussions with US authorities to find political, legal and technical solutions to allow transfers to respect fundamental rights. The current negotiations around a new Safe Harbor could be part of such a solution;

(iii) businesses should consider the risks of transferring data and what legal and technical solutions can be put in place; and

(iv) Standard Contractual Clauses and Binding Corporate Rules can still be relied on at this stage.

If, by the end of January 2016, no appropriate solution has been found with US authorities, and depending on the assessment of other transfer tools, the Working Party confirmed that EU data protection authorities are committed to taking all necessary action, which might include coordinated enforcement action.

Statement from the Irish Data Protection Commissioner
In response to the CJEU's judgment, on 20 October the Irish High Court handed down its ruling quashing the original decision of the Irish Data Protection Commissioner not to investigate the adequacy of protection in transfers of data to the US by Facebook. On the same day, the Irish Data Protection Commissioner made an official statement welcoming the ruling and declared the start to an official investigation into the basis of Maximilian Schrems's complaint.

Statement from the German data protection Commissioners
On 21 October the German Conference of Data Protection Commissioners ("DSK"), which consists of German Federal and State data protection authorities, issued a position paper on the CJEU's judgment in light of the Article 29 Working Party's statement.

The DSK reiterated that any transfer of personal data based solely on the Safe Harbor Regime is not permissible. In addition, the DSK went further by casting doubt on the other methods of transferring data outside the EEA, namely the use of Standard Contractual Clauses and Binding Corporate Rules, suggesting that such methods are "also questionable". For the time being, German data protection authorities will not give permission for data transfers to the US based on such methods.

The DSK also called on the European Commission to insist on sufficient guarantees for the protection of privacy in its on-going negotiations with the US and for the German Federal Government to negotiate directly with the US to ensure compliance with an adequate level of protection.

Dutch data protection Chairman makes comments on the future of Safe Harbor
Jacob Kohnstamm, the Dutch Data Protection Authority Chairman, has said that the business community should be "prepared for the worst", i.e. that there should be no transfer of personal data from the EU to the US if based on Safe Harbor. Speaking personally, Kohnstamm took a similar stance to the German DSK, in saying that when reading the CJEU's judgment, "you can't come to another conclusion than saying they [Binding Corporate Rules and Standard Contractual Clauses] in the end will be declared invalid as well".

Kohnstamm confirmed that there would be another meeting of the Article 29 Working Party at the end of November to work out a collective contingency plan in the event that no political decision is reached by the end of January.

Cybersecurity

Investigatory Powers Bill
On 4 November, the draft Investigatory Powers Bill was announced by the Home Secretary in Parliament. The Bill will govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. In its current draft, it includes, amongst others, changes to the parliamentary and judicial oversight of investigatory powers, new "targeted equipment interference" powers for the security services and a provision to require communications services providers to retain communications data, including internet connection records, of users for 12 months.

In announcing the draft Bill, the Home Secretary confirmed that the intelligence services have been collecting phone records flowing through Britain in bulk for a decade under the auspices of the Telecommunications Act 1984.

Talk Talk
On 23 October, internet and phone services provider Talk Talk announced that its website had been the target of a large-scale attack and that customer names, contact details, bank account details and credit card numbers had been stolen. Talk Talk has reported the theft of 1.2 million email addresses, names and phone numbers, 21,000 unique bank account numbers and sort codes, 28,000 partial credit and debit card numbers and 15,000 dates of birth. In addition to the Information Commissioner stating that it would be investigating, the news raises serious questions over the safeguards that Talk Talk had been using, given the relatively simple attack methods used. Various teenagers, including a 15 year old from Northern Ireland, have been arrested in connection with the attacks.

Morrisons
Over 2,000 staff at Morrisons are preparing to sue the supermarket chain following the deliberate leak online of staff details by a disgruntled employee in 2014. Andrew Skelton, recently jailed for 8 years for his actions, posted salary, national insurance and bank details of nearly 100,000 members of staff on the internet. Potential claimants have a period of 4 months to join the group action.

Vodafone
Vodafone recently announced that over 1,800 of its customers' online accounts had been accessed and that contact and bank account details may have been stolen. Unlike in the Talk Talk attack, the hackers are thought to have used purchased information to break into the accounts and steal the potentially high-value data.

Marks and Spencer
Marks and Spencer was forced to suspend its website on 28 October after users reported being able to see others' account details and details of purchases. The retailer insisted that it had not been the victim of a cyber attack and that the problem was a "technical issue" that was subsequently resolved.

ICO activity

Agreement on cross border privacy enforcement
On 26 October, the ICO announced the signing of an agreement to join a new tool for information sharing between data protection authorities, the Global Privacy Enforcement Network Alert. The Alert system allows information on investigations and enforcement actions to be shared between data protection authorities securely and legally to allow greater international cooperation.

Enforcement

Crown Prosecution Service
The Crown Prosecution Service has been fined £200,000 after computers containing footage of police interviews with victims of sexual or violent abuse were stolen from a private film studio. The CPS had been using the services of the unnamed film editor, who operated from a residential block of flats with little security. The laptops were subsequently recovered. The ICO found that the CPS had breached the seventh data protection principle (appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and accidental loss, destruction or damage to personal data).

Pharmacy 2U
The online pharmacy "Pharmacy 2U" has been fined £130,000 after selling details of more than 20,000 customers to marketing companies. Pharmacy 2U is the UK's largest NHS-approved online pharmacy and provides electronic prescription services, confidential online consultations, and retail services.

Help Direct UK Limited
The ICO has fined Help Direct UK Limited ("Help Direct") £200,000 for sending thousands of unsolicited marketing text messages in breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). This was the first time that the ICO has used its new enforcement powers under section 55A Data Protection Act 1998, as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015, which removed the need to prove "substantial damage or substantial distress" in respect of a serious breach of PECR.

The messages offered services such as the reclamation of PPI payments, bank refunds or loans and all came from devices that were known to have been used previously by Help Direct. The GSM Association’s Spam Reporting Service received 6,758 complaints in April 2015 alone. Help Direct had previously been censured by the ICO in February 2015 and was required to take steps to comply with PECR following 659 complaints for similar messaging, which was a key aggravating factor for the ICO in its decision.

Home Energy & Lifestyle Management Ltd
The ICO recently fined Home Energy & Lifestyle Management Ltd £200,000 for making over 6 million automated calls in relation to "free" solar panels in contravention of PECR and the Data Protection Act. Around 59,500 subscribers had calls connected and the ICO received 242 complaints. Despite providing the option to suppress the calls, often this was not effective and some individuals received multiple calls in a single day.

Anglesey County Council
On 1 October, the ICO issued an enforcement notice against Anglesey County Council after it was found to have failed to comply with the seventh data protection principle. The enforcement notice came in the wake of two failed data protection audits in 2013 and 2014 following security incidents which caused the ICO to issue undertakings in 2011 and 2012. The Council has been ordered to introduce mandatory data protection training, back-up records and ensure that access rights are properly monitored.